The Authors Guild, Inc. et al v. Hathitrust et al
Filing
137
DECLARATION of (REDACTED) Cory Snavely in Opposition re: 81 MOTION for Summary Judgment.. Document filed by Hathitrust. (Petersen, Joseph)
KILPATRICK TOWNSEND & STOCKTON LLP
Joseph Petersen (JP 9071)
Robert Potter (RP 5757)
1114 Avenue of the Americas
New York, NY 10036
Telephone: (212) 775-8700
Facsimile: (212) 775-8800
Email: jpetersen@kilpatricktownsend.com
Joseph M. Beck (admitted pro hac vice)
W. Andrew Pequignot (admitted pro hac vice)
Allison Scott Roach (admitted pro hac vice)
1100 Peachtree Street, Suite 2800
Atlanta, Georgia 30309-4530
Telephone: (404) 815-6500
Facsimile: (404) 815-6555
Email: jbeck@kilpatricktownsend.com
Attorneys for Defendants
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK
THE AUTHORS GUILD, INC., ET AL.,
Plaintiffs,
Case No. 11 Civ. 6351 (HB)
v.
HATHITRUST, ET AL.,
Defendants.
DECLARATION OF CORY SNAVELY IN OPPOSITION
TO PLAINTIFFS' MOTION FOR SUMMARY JUDGMENT
I, Cory Snavely, pursuant to 28 U.S.C. § 1746, hereby declare as follows:
1. I am the Manager of Library IT Core Services at the University of Michigan
Library. I submit this declaration in opposition to Plaintiffs' motion for summary judgment.
Unless otherwise noted, I make this declaration based upon my own personal knowledge.
2. As Manager of Library IT Core Services at the University of Michigan
("Michigan"), I am responsible for, among other things, the continued development and
maintenance of the HathiTrust Digital Library ("HDL") server and storage infrastructure, which
is where HDL content is stored and HDL services operate.
3. I have served as Manager of Library IT Core Services at Michigan for more than
thirteen (13) years. During my tenure at Michigan, I have designed and overseen the
development of the library's technology infrastructure. In or about December 2004, I began to
oversee the development of the infrastructure that would ultimately underlie HDL when it
launched in 2008.
4. My duties include ensuring the security of the works within the HDL. This
entails, among other things, ongoing attention to a rigorous security program for the entire
Michigan library's technology environment. I manage a team of five in connection with this
work.
5. I have a degree in Systems Analysis which I received from Miami University in
1992. I have participated in numerous groups on campus to help guide Michigan's strategies for
security and storage. For example, I am currently serving on the Information and Infrastructure
Assurance Council, a key oversight and decision-making body, which provides guidance to the
campus on security initiatives, programs, and policy relating to computer security.
A. The Unblemished Security Record of the HDL
6. I have reviewed the declaration of Dr. Benjamin Edelman, which the Plaintiffs
have submitted in connection with their motion for summary judgment. In that declaration, Dr.
Edelman provides a list of generalized threats to the security of the HDL, but without regard to
the steps already taken by the library defendants (the "Libraries") to minimize if not eliminate
US200S 3674177
altogether the threats he identifies. His approach is akin to assessing the safety of commercial air
travel by summarizing the ways in which a plane may fall from the sky without taking note of all
of the steps taken by the aviation industry to guard against such calamity.
7. In fact, Dr. Edelman apparently had no choice but to limit his report to
generalities. This is because he never attempted to study the specific security measures taken by
Michigan to protect the HDL and admits that he would not be qualified to conduct such a risk
assessment in any event.
8. Dr. Edelman, who has degrees in economics, not computer science, sat for a
deposition in the Google lawsuit two weeks before submitting his declaration in this action. He
confessed during that deposition that "I don't know about all of the security systems that [the
Libraries] have." (Edelman Tr. at 248:11-12). He also conceded that apart from information
contained in a risk assessment conducted by Michigan to improve the security of the HDL, "I
don't think I have knowledge of [Michigan's] current security." (Edelman Tr. at 268:12-18). He
testified that if a company asked him to conduct an evaluation of its security measures, "I don't
think I would be the best person to evaluate their security systems, but I think I would be able to
assist them in selecting an appropriate person." (Edelman Tr. at 288:15-18). True and correct
copies of relevant excerpts of Dr. Edelman's deposition testimony are attached hereto as Exhibit
A.
10. Based upon my experience in securing computer systems and first-hand
knowledge of the security controls used to protect the HDL, I believe that the generalized risks
identified by Dr. Edelman, which are customary and typical risks faced by the operators of any
large service accessible through the Internet (including services demanding a high level of
security such as Internet banking), do not render the works within the HDL corpus insecure.
B. The Security Measures Protecting the HDL From the General Risks Dr. Edelman
Identifies.
12. Dr. Edelman, in paragraphs 16 through 26 of his declaration, sets out a number of
generalized security risks associated with maintaining a digital library such as the HDL. The
risks he identifies are, in fact, well known to experts in computer security and my team has taken
a number of precautions to minimize them, if not eliminate them altogether.
13. Specifically, in paragraph 16, Dr. Edelman claims that "pirates could extract book
copies through defects in the security of a provider's system." Dr. Edelman continues by
' Additional background on the security measures taken to protect the HDL is found in the June
28, 2012 declaration of the HathiTrust's Executive Director, John Wilkin, submitted in support
of the Libraries' motion for summary judgment.
claiming that unauthorized individuals could gain access to digital copies of works through
defects in the physical or virtual access controls guarding the servers housing the digital copies.
Dr. Edelman also claims in this paragraph that "[d]efects could also arise through flaws in the
operating system, database server, web server, or other software run on a provider's servers; such
flaws have been widespread in even the most popular server software" and claims that "defects
could arise through the provider's custom software."
14. These are all well-known, common risks. The HDL uses industry best practices to
greatly reduce the possibility of unauthorized access of the type discussed in paragraph 16 of Dr.
Edelman's declaration:
^ Frequently, commercial enterprises do not apply updates because their business requirements
demand that running systems be unchanged and untouched; this type of approach to security can,
in fact, expose systems to some of the security risks identified by Dr. Edelman. HDL systems, in
contrast, are designed to be maintained regularly and continuously kept up-to-date and secure.
16. The security controls identified above (see paragraph 14), particularly the double
perimeter firewalls, greatly minimize the risk of access through exploitation of errors in security
configurations. Further, Dr. Edelman's selective use of Mr. Wilkin's testimony falsely suggests
that the HDL experiences disproportionately frequent, targeted attacks as compared to similar
17. In paragraph 18 of his declaration, Dr. Edelman cites the risk of a "rogue
employee" that "intentionally redistributes[s] book copies." In fact, employee access to
in-copyright materials is far more restricted than Dr. Edelman suggests:
20. Dr. Edelman, in paragraph 20 of his declaration, speculates that "any error made
by an employer could create a security breach allowing hackers to access book copies and
23. Dr. Edelman, in paragraph 22 of his declaration, asserts that "[e]ven if Defendants
attempt to implement security controls and other limitations on users' ability to download book
copies, experience suggests that users will exceed those limitations." He juxtaposes this claim
26. Dr. Edelman asserts in paragraph 23 of his declaration that the Libraries permit
"non-consumptive research" aimed at analyzing patterns in the texts found in the HDL and he
claims that this functionality increases the risk of a security breach. The entire premise
underlying this assertion is incorrect however. The HDL only permits research on material
determined to be in the public domain. If, in the future, the Libraries permit non-consumptive
research over in-copyright text, security measures would be adopted to negate the security risks
identified by Dr. Edelman, as well as other risks he did not.
27. In sum, Dr. Edelman's report offers the Court nothing more than a collection of
hypothetical risks without any countervailing assessment of the ways in which the HDL is
protected against such risks. A detailed assessment of the HDL's security protocols in fact
establishes that the risk of a security breach is exceedingly low, well within the guidelines for a
trustworthy repository of digital information.
I declare under penalty of perjury that the foregoing is true and correct.
Executed: M y 20, 2012
EXHIBIT A
Page 1
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK
THE AUTHORS GUILD, INC., ASSOCIATIONAL PLAINTIFF, BETTY MILES, JOSEPH GOULDEN, AND JIM BOUTON, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED,
Plaintiffs
vs.
GOOGLE, INC.
Defendant
C.A. 05 CV 8136-DC
Volume: I
DEPOSITION OF EXPERT WITNESS, BENJAMIN G. EDELMAN,
before Avis P. Barber, a Notary Public and Registered
Professional Reporter, in and for the Commonwealth
of Massachusetts, at the Harvard Business School,
Baker Library, 25 Harvard Way, Boston, Massachusetts,
on Thursday, June 14, 2012, commencing at 10:03 a.m.
Job No. 148413
PAGES 1 - 312
Page 3
INDEX
WITNESS DIRECT CROSS REDIRECT RECROSS
BENJAMIN G. EDELMAN
BY MR. GRATZ 6
EXHIBITS
NUMBER PAGE
Exhibit 1 Expert Report of Benjamin Edelman 17
Exhibit 2 Whenu.com Emergency Motion 98
Exhibit 3 Initial Expert Report of Doctor Benjamin Edelman Concerning Industry Practices and Activities of Valueclick 101
Exhibit 4 Expert Report of Benjamin Edelman 112
Exhibit 5 Document entitled "Google Toolbar Tracks Browsing even after User Choose Disable" 129
Exhibit 6 Search Engine Land, Blog Post, 1/26/10 131
Exhibit 7 Document entitled "Privacy Lapse at Google JotSpot" 137
Exhibit 8 Document entitled "Google's JotSpot Exposes User Data" 139
Exhibit 9 Declaration of Benjamin Edelman 143
Exhibit 10 Supplemental Declaration of Benjamin Edelman 143
Page 2
APPEARANCES:
On behalf of the Plaintiffs:
BONI & ZACK, LLC
15 St. Asaphs Road
Bala Cynwyd, Pennsylvania 19004
By: Michael J. Boni, Esquire
Tel: 610-822-0201
Fax: 610-822-0206
mboni@bonizack.com
On behalf of the Defendant
DURIE TANGRI
217 Leidesdorff Street
San Francisco, California 94111
By: Joseph C. Gratz, Esquire
Tel: 415-362-6666
Fax: 415-236-6300
jgratz@durietangri.com
ALSO PRESENT: Jody Urbati, Videographer
Page 4
EXHIBITS (Continued)
NO. PAGE
Exhibit 11 Document entitled "The Online Economy: Strategy and Entrepreneurship" 156
Exhibit 12 Declaration of Benjamin G. Edelman 161
Exhibit 13 Document entitled "Advertisers Using WhenU" 164
Exhibit 14 Exhibit 1 171
Exhibit 15 Document entitled "Google Books Partner Program Standard Terms and Conditions" 213
Exhibit 16 Search Inside, Publisher Sign-Up 221
Exhibit 17 Participating Authors' Reprint Agreement v2.0 228
Exhibit 18 Cooperative Agreement 267
Exhibit 19 Document entitled "NDA Never Existed" 270
Exhibit 20 Benjamin Edelman's Thesis 306
EXHIBITS RETAINED BY THE COURT REPORTER
1 (Pages 1 to 4)
Veritext National Deposition & Litigation Services
866 299-5127
Page 5
PROCEEDINGS
THE VIDEOGRAPHER: Good morning. We
are on the record at 10:03 A.M. on June 14th,
2012. This is the videotaped deposition of
Benjamin Edelman. My name is Jody Urbati, here
with our court reporter Barbara Avis. We are
here from Veritext National Deposition and
Litigation Services at the request of counsel.
This deposition is being held at
Harvard Business School in the city of Boston,
Massachusetts. The caption of this case is the
Authors Guild versus Google, Inc. Please note
that the audio and video recording will take
place unless all parties agree to go off the
record. Microphones are sensitive and may pick
up whispers, private conversations and cellular
interference.
At this time will counsel and all
present identify themselves for the record.
MR. GRATZ: Joseph Gratz from Durie
Tangri, LLP in San Francisco for defendant
Google.
MR. BONI: Michael Boni from Boni &
Zach, Bala Cynwyd, Pennsylvania for plaintiffs.
THE WITNESS: Benjamin --
Page 6
MR. BONI: I'm sorry, and here
representing the witness.
THE VIDEOGRAPHER: Thank you. The
witness will be sworn in and we can proceed.
BENJAMIN G. EDELMAN,
A witness called for examination, having been
duly sworn, testified as follows:
DIRECT EXAMINATION
BY MR. GRATZ:
Q. Good morning.
A. Good morning.
Q. Could you state your name for the
record, please.
A. Benjamin Edelman.
Q. And you're an assistant professor at
Harvard Business School; is that right?
A. Yes.
Q. Do you have tenure?
A. No.
Q. You have a number of degrees from
Harvard; is that right?
A. Yes.
Q. Are any of those degrees in computer
science?
A. No.
Page 7
Q. You have an undergraduate degree and
a Ph.D. in economics; is that right?
A. Yes.
Q. Do any of the opinions stated in your
report apply economic analysis?
A. I think they do broadly understood,
yes.
Q. How so?
A. The report considers the incentives
of various parties, the factors motivating them
to act or not to act and the likely consequences
of those incentives.
Q. Are there any specific economic
methods that are applied in your report?
MR. BONI: Object to form.
A. I'm not sure I understand what you
mean.
Q. What economic methods are applied in
your report?
MR. BONI: Same objection.
A. My training and economics teaches me
to understand and analyze incentives in
considering the actions of any rational actor.
That method of analysis of considering and
applying incentives is applied throughout the
Page 8
report.
Q. Can you tell me more about that
method?
MR. BONI: Objection to form.
A. Well, you know I think it's pretty
intuitive. It can be structured in a formal
algebraic model when a particular situation
calls for that approach. It can be studied
empirically through large sample or small sample
data when the context calls for that approach.
It can also inform understanding and analysis
without specific application of modeling or of
large sample data analysis.
Q. Did you apply any algebraic modeling
in preparing your report?
A. No.
Q. Did you apply any empirical large
sample data analysis in preparing your report?
A. I wouldn't call it large sample data
analysis. There are sections that draw on
specific examples considered individually which
probably is a better example of small sample
data analysis.
Q. And those are the particular
anecdotes that you set forth in your report?
Page 245
it's pretty straightforward that if you have
more limited resources, your ability to expand
those resources on any given project is going to
be correspondently limited.
Q. In your view is it necessarily the
case that smaller and less sophisticated
entities have worse security than larger and
more sophisticated entities?
MR. BONI: Object to form.
A. Not always. Sometimes with simpler
systems or with less valuable contents to
safeguard, the security of a smaller entity can
be more than satisfactory. On the other hand,
when one flips around those conditions, a small
entity guarding a very large gem, one could
quickly get into trouble.
Q. Are your statements in Paragraph 18
of your report based on a survey of companies of
various sizes considering their security
measures?
A. No.
Q. Can you provide an example of one of
the smaller and less sophisticated companies to
which you refer?
A. For example, in the context of domain
Page 246
names, there used to be one company, VeriSign
Network Solutions that was the sole vendor of
.com domain names. When that market was opened
up to competition, there were a variety of
benefits, but there have also been some
downsides, including that some of the smaller
guys have been hacked in various ways, have
allowed their servers to be taken down by
something as routine as a power outage and have
otherwise failed to lived up to their
contractual commitments. In contrast, the
larger vendors in that space have largely
succeeded in living up to their contractual
commitments.
Q. Are you aware of any in The Book
Space?
MR. BONI: Do you understand the
question?
A. I do, but I think it's a little bit
speculative at this point that there aren't that
many smaller sites holding digital copies of
books and presenting them in snippet form. If
there are any small such companies, I guess I
don't know about them.
Q. Turning to Paragraph 19 of your
Page 247
report, you say that attackers can take
advantage of even a brief period when a single
book provider is insecure. You see that?
A. Yes.
Q. Is that true today?
A. Today there aren't so many book
providers. We've discussed only two today.
Both of them large, sophisticated companies with
impressive information security defenses;
whereas, the premise of this section,
Paragraph 13, is that there might be
significantly more in the future, and they might
look quite different.
Q. In the event of a fair use ruling?
A. Correct, which has been the premise
of the entire section where we've been here.
Q. Have you -- so it's your view that
today's book providers like Google and Amazon
have a different and higher level of security
than tomorrow's book providers might in event of
a fair use ruling, such that smaller entities
would enter the market and present the risks
discussed in this section; is that right?
A. That's right.
Q. Turning to Paragraph 20, you say, "I
Page 248
understand that the Google Library Project
includes providing to the library partners a
full digital copy of the books the libraries
allowed Google to scan. Breaches at the
security systems at these libraries" -- excuse
me -- "breaches in the security systems at these
libraries, could facilitate book piracy." Do
you know what security systems the libraries who
store books such as the University of Michigan
have in place?
A. I don't know about all of the
security systems that they have.
Q. How do they compare to the security
systems that, for example, iUniverse which is
the party to the agreement in Exhibit 17 has in
place?
MR. BONI: Object to form. He just
said he's not sure what the security systems are
in the libraries.
A. I'm also not sure what the security
systems are at iUniverse, so I really don't
think I can make a comparison.
Q. You, likewise, couldn't make a
comparison to the security systems that Google
or Amazon has in place?
Page 249
A. I don't know everything that I'd want
to know in order to make that comparison. In
general, I think there's good reason to suspect
that the libraries will have significantly lower
levels of security.
Q. But you don't know one way or the
other?
A. I don't know one way or the other,
and furthermore, I'm not sure the answer is
knowable just yet. We need to think about what
level of security libraries will have several
years from now. It's hard to say, sitting here
today what they'll do in several years.
Q. Are you aware of any books being
pirated or stolen from a research library
archived with scans made by Google?
A. No.
Q. Turning to Paragraph 21, you say,
"I've not been informed of all the ways that
libraries intend to use the book contents data
they receive from Google, nor have I been
informed how libraries intend to secure that
data. But the information currently available
indicates that libraries' actions present a risk
of book piracy." You see that?
Page 250
A. Yes.
Q. You don't know what security measures
the libraries have in place today; is that
right?
A. I don't know all of what they have in
place.
Q. What do you mean by "information
currently available" as you use it in Paragraph
21?
A. Yes, in Exhibit C, I cite the
Hathitrust materials which I did review. That
gives some information about some of the
libraries' security systems. I actually have
quite a bit of experience with library
information systems from the Multnomah County
Public Library case that we discussed
previously.
I've spent time interviewing
librarians. I've spent time with the CIOs of
libraries. I've spent time in the library
computer systems, understanding how they work
and how they interoperate and have come to have
a general understanding of the overall culture
and approach to information sharing that's
common in libraries.
Page 251
Q. Did any of your work on the Multnomah
County case or the interviews with librarians
and other librarian staff members in that case
form a basis for any of the opinions you render
in your report in this case?
A. It's not a basis. It's part of my
overall professional background consistent with
expert service.
Q. Do you know whether the University of
Michigan is storing book scans in its normal
library information systems or in a separate
system?
MR. BONI: Object to form.
A. I don't know one way or the other.
Q. What information, additional to the
information you have about the library's
security measures, would permit you to better
assess the risks?
MR. BONI: What risks?
Q. The risks you discussed in Paragraphs
20 and 21.
A. Understanding both what they do now
and what they will do in the future, what they
commit in some sort of a binding contractual
sense to do or not to do. I need to understand
Page 252
the servers on which the data is to be stored,
the physical security, the network security, the
logical security, software level, user accounts,
credentialing.
This sounds like a full security
audit. I'm not sure I'm the best person to do
it, but in any event, it requires understanding
quite a bit about their practices, both in the
present and their future practices, which is a
little bit harder to investigate in
anticipation.
Q. Turning to Paragraph 22, you refer to
a student who used MIT library access to
download 4.8 million articles and other
documents. You see that?
A. Yes.
Q. Is that man named Aaron Swartz?
A. Yes.
Q. Aaron Swartz is being charged
criminally for that activity; is that right?
A. Yes.
Q. And those charges are currently
pending; is that right?
A. That's my understanding.
Q. What was the effect on the value of
Page 265
A. Yes.
Q. Do you consider that to be in
violation of intellectual property rights?
A. I think it's an infringement of the
trademark, and the question is whether a fair
use defense applies. There is a doctrine of
fair use for trademarks and stylized images. I
think it's a plausible fair use defense. There,
I'd really have to apply the factors and read
the cases. I'm much less familiar with the Fair
Use Doctrine as it applies to stylized images
and logos.
Q. The Apple prank which you refer
occurred in October of 2011; is that right?
A. I don't recall.
Q. Did it occur shortly after the death
of Steve Jobs?
A. If you say so.
Q. Did students display the Apple logo
in the clock tower of Maseeh Hall at MIT in
honor of Steve Jobs in the prank you referred to
in Paragraph 25?
A. Now, that could be. I don't recall.
Q. Do you think that that prank is
relevant to the issues in this case?
Page 266
A. I can certainly see how it would seem
peripheral. On the other hand, the fact that
students are well known to disregard
intellectual property is anything but
peripheral. It's well known that Napster was
most used on college campuses. There were
distinctive trends. You could see the number of
users signed into Napster decrease when major
schools went onto spring break. So the
relationship between students, university
libraries and piracy is not peripheral.
Q. Could you tell me about the Red Sox
logo prank you referred to in Paragraph 25?
A. I don't recall. I went through the
site, looked at the distinctive images
memorializing the pranks, but I didn't note them
in great specificity.
Q. Do you consider that an instance of
piracy?
A. I'm not sure. I do think it's
probably an instance of trademark infringement,
and it might be subject to a fair use defense.
Q. The prank you referred to in
Paragraph 25 with respect to the logo of the
Boston Red Sox, did that prank occur in October
Page 267
of 2004?
A. I don't know.
Q. Did it occur when the Red Sox made it
to the World Series?
A. I don't know.
Q. Were the -- do you think that the
students celebrating the Red Sox making it to
the World Series by displaying the logo on the
dome of the university building was intellectual
property infringement?
A. The law is what it is, and it's not
for me to rewrite trademark law. I wouldn't be
surprised if that is infringement as a matter of
law, and fair use defense might or might not
apply. It wouldn't shock me if you said that to
do that a license must be paid to the Red Sox,
and if you don't pay it, then you're in
violation of the law.
MR. GRATZ: Mark as Exhibit 19, this
document. I want to note for the record before
I hand it to the witness that despite the
confidential legend at the bottom of this
document, this is not a confidential document.
(Document marked as Exhibit No. 18
for identification.)
Page 268
Q. You have before you what's been
marked as Exhibit 18. Do you recognize this
document?
A. Yes.
Q. Is this the document to which you
refer in Paragraph 26 of your report?
A. I think so.
Q. Do you know what security measures
the University of Michigan has in place?
A. That's discussed in part in this
document.
Q. Aside from this document, do you have
any knowledge other than what is in this
document of security measures that the
University of Michigan has in place?
A. Aside from what's discussed in this
document, I don't think I have knowledge of
their current security.
Q. Is it your opinion that an author
would not agree to have his work stored by the
University of Michigan without greater security
terms than those set forth in Exhibit 18?
MR. BONI: Object to form.
A. I'm not sure. It all depends on what
the author gets in exchange. If they get zero,
Page 285
to pass in the event of a fair use ruling in
favor of Google?
MR. BONI: Object to form. You want
a mathematical response to that question?
MR. GRATZ: Whatever the response the
witness has for me.
MR. BONI: Object to form.
A. I don't know. It would be easier to
say once that fair ruling resulted, if it did
result, once we see who comes along and scans
which books and stores them in what ways, until
then, it's just a little bit too speculative for
me to want to put a number on it, but it
certainly is a serious concern.
Q. What's the magnitude of the harm in
dollars? The harm here, I mean the harm that
you were discussing in Paragraph 38.
MR. BONI: Object to form.
A. I'm not sure. It's difficult to put
a dollar value on it, but I do think it's
significant. If you asked a publisher what
would they be willing to pay to have a complete
protection against piracy, to be able to print
their books on uncopyable paper or with magical
ink, I think you'd find publishers would be
Page 286
willing to pay a significant portion of their
enterprise values in order to get that magical
technology.
Q. And you consider that to be the
measure of the magnitude of the harm set forth
in Exhibit -- in Paragraph 38?
MR. BONI: Object to form.
A. It's not that that's how you'd
measure it, but that's the sort of thought
experiment one would do.
Q. How would you measure it?
A. On thinking about the way that other
large harms are measured, how do we assess the
value of a life when a life is taken away from a
person? How do we assess the value of a plane
crash or a nuclear disaster? It's really not my
area of expertise. It's not something I've
opined on here. But here I consider the
totality of future lost profits. So I do my
best to figure out what profits would have been
and then what they will be as a result of the
loss, and I subtract those two numbers, and that
would be the starting point for the harm.
Q. Have you done that in preparing your
report?
Page 287
MR. BONI: Objection. You know he's
not a damages expert, Joe.
Q. You can answer.
A. I have not. I'm not a damages
expert.
Q. Has a company ever come to you and
asked you to evaluate the risk of intrusion into
their computer systems which protects books?
A. No.
Q. Has a company ever come to you and
asked you to evaluate the risk of intrusion into
their computer systems at all?
A. That seems like the kind of thing
someone would have asked me to do at some point.
I just need to take a moment to think about it.
Certainly I've thought about that
question for the organizations which -- with
which I've had long-term relationships. So, for
example, when I was running the Berkman Center
server, that was a question I thought about. I
thought about it with ICANN. I've thought about
it as to portions of Harvard Business School.
I've thought about it with Wesley as to the
servers that we operate together, as to paying
clients that come specifically for that.
Page 288
I think it would be unusual for
anyone to seek my assistance for that solely and
specifically, but if they already knew me from
something else, I can think of a couple of
clients who have sought assistance with problems
generally in that vein based on prior
relationships.
Q. If a company came to you and asked
you to evaluate the risk of intrusion into its
computer systems which protect books, would you
accept the assignment?
MR. BONI: Object to form. That's
the entire hypothetical?
MR. GRATZ: That's the question.
A. I don't think I would be the best
person to evaluate their security systems, but I
think I would be able to assist them in
selecting an appropriate person. I would be
able to guide that person towards the areas of
greatest concern, perhaps review their initial
report, and suggest areas for extension and
further inquiry.
Q. What process would you recommend be
undertaken to evaluate the risk of intrusion
into those computer systems that protect books?
72 (Pages 285 to 288)
Veritext National Deposition & Litigation Services
866 299-5127
Page 289
A. I suppose it would all depend on what
books I was trying to protect, what I was trying
to protect them from, what access I needed to
allow. The easiest thing to do to prevent
unauthorized access is to prevent all access by
destroying the digital records, but I imagine
that wouldn't be what someone hired me to tell
them. They'd want some way to use it for some
purposes while disallowing use for other
purposes.
Q. If a company came to you and asked
you to evaluate the risk of an intrusion into
their computer systems which protect books and
which host books for the purpose of making
snippets available in response to searches, what
process would you take to under -- to make that
evaluation?
A. Well, I think I would -- I would
consider the sorts of security systems that
we've discussed a couple times today in
different parts of our time together as to
physical security, network security, software
security, application level security, human
resources and internal controls. I'd consider
each of those. Each would be significant. Each
Page 290
would have multiple facets within it.
And then my analysis would be
informed, importantly, by the material that I
was holding. If it was unique and one of a kind
and highly sought after, then I would be
particularly concerned about the skills of my
intruders. And if I needed to allow massive,
high-volume access by a large number of
different users, potentially some of them fake
or automated or robotic, I would be even more
concerned, and I would need to be open to the
possibility, the very real possibility that I
couldn't do this with the required level of
quality and would need to revisit my plans.
Q. What information would you need to
evaluate the risk of intrusion into such a
system which stores books for the purpose of
making snippets available in response to
searches, for example?
A. One would need to think about each of
the aspects of security just discussed. So for
example, as to human resources security, making
sure that there isn't a rogue employee who takes
the data in the way that other rogue employees
have done other untoward things, including even
Page 291
at Google. I'd look at my organization's
experience or the client's organization's
experience with rogue employees.
When we have a thousand engineers,
how many of them turn out to be bad apples, how
many bad ones do you get out of a thousand? Is
there any way to prevent two of them from acting
together in concert? Could we have an audit
trail that prevents this kind of copying and
that kind of copying? Is it possible to make an
audit trail that's so robust that even a senior
engineer can't turn it off? Because we know
some of the problems occur from senior engineers
who can bypass the ordinary control.
So that's the kind of question I'd be
asking as to that facet, but to be sure, each of
the facets would require a different type of
analysis.
Q. Did you do any of that in preparing
your report in this case?
A. I considered those kinds of
approaches. The data and information required
aren't available to me and weren't necessary in
order to reach the conclusions set out in my
report.
Page 292
Q. Why weren't they necessary? Would
having them have aided you in reaching your
conclusions?
A. Perhaps I could have reached
additional conclusions. I imagine that with
enough study, I might get to the point where I
was prepared to put a number on some of the
probabilities. There's this probability per
year of this kind of bad thing happening if you
use these controls. I think that is an
estimatable number. One can estimate even these
very small probabilities with enough analysis
and enough review, but it's quite difficult, and
I didn't consider it necessary or appropriate,
given what I was asked to do in this report at
this time.
Q. Did you run any bargaining
experiments in connection with your report?
A. No.
Q. Did you perform any statistical
analysis in connection with your report?
A. No.
Q. In signing your own consulting
agreements, have you performed market checks
regarding terms?
73 (Pages 289 to 292)
Page 309
Q. Turning to the references cited page
of your senior thesis on page 77, under G, do
you see a citation to a book by A. Greco called
The Book Publishing Industry?
A. Yes.
Q. And turning to page 33 of your senior
thesis, you see the bottom of page 33 it says,
"I further add two promotion-specific variables
to investigate market trends noted by Greco
(1997) in discussing clumping of book sales over
time"?
A. Yes.
Q. Is that a citation to the Greco work
titled The Book Publishing Industry cited in
your references cited section?
A. Seems to be.
Q. Do you have an opinion as to Albert
Greco's expertise regarding The Book Publishing
Industry?
A. Not really.
MR. BONI: Are you done with this,
Joe?
MR. GRATZ: Yes. Nothing further.
MR. BONI: I have nothing.
THE VIDEOGRAPHER: Here ends this
Page 310
deposition. Off the record, 6:18 p.m.
(Whereupon, the deposition was
concluded at 6:18 p.m.)
Page 311
CERTIFICATE
COMMONWEALTH OF MASSACHUSETTS.
MIDDLESEX, SS.
I, Avis Barber, Registered Professional
Reporter and Notary Public, in and for the
Commonwealth of Massachusetts, do hereby certify
that:
BENJAMIN G. EDELMAN, the witness whose
deposition is hereinbefore set forth, was duly
sworn by me, that I saw a picture identification
for him in the form of his Harvard College
Identification card, and that the foregoing
transcript is a true and accurate transcription
of my stenotype notes to the best of my
knowledge, skill and ability.
I further certify that I am not related to
any of the parties in this matter by blood or
marriage and that I am in no way interested in
the outcome of this matter.
IN WITNESS WHEREOF, I have hereunto set my
hand and notarial seal this 20th day of June
2012.
--------------------------
Avis Barber, RPR
Notary Public
My commission expires: July 30, 2015
Page 312
I declare under penalty of perjury
under the laws that the foregoing is
true and correct.
Executed on _________________ , 20___,
at _____________, ___________________________.
__________________________
BENJAMIN G. EDELMAN
78 (Pages 309 to 312)